{
	"id": "4ef8fc1c-ae66-47fc-835f-14933e49b50c",
	"created_at": "2026-04-06T00:11:36.945276Z",
	"updated_at": "2026-04-10T03:35:34.621874Z",
	"deleted_at": null,
	"sha1_hash": "6b222da390c0a28b16c4c1795f5a5675086927ec",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56960,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:58:20 UTC\n Tool: Avaddon\nNames Avaddon\nCategory Malware\nType Ransomware, Big Game Hunting\nDescription\n(Awake Security) Avaddon is a cryptolocker ransomware written in C++ that is best\nknown for encrypting files and changing the file extension to .avdn. The ransomware\nalso deletes the volume shadow copies and other system backups and typically demands\na ransom ranging between $150 and $900. Since the ransomware uses strong encryption\nalgorithms like AES256 and RSA2048, no decryptor is available and it is impossible to\ndecrypt the file without the key that was used to encrypt it. This ransomware is sold\nin a manner similar to other Ransomware-as-a-Service (RaaS) offerings like REvil. Thus, even someone with\na limited technical background can become an “affiliate” to spread the malware. In return,\nthe profit gets shared between the threat actor and the affiliate. In this blog post we\ndissect this malware and discuss methods to perform threat hunting for the Avaddon\nransomware family.\nInformation\n\n003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-\n%2020210508.pdf\u003e\nMITRE ATT\u0026CK Malpedia AlienVault OTX Playbook\nLast change to this tool card: 30 December 2022\nDownload this tool card in JSON format\nAll groups using tool Avaddon\nChanged Name Country Observed\nAPT groups\n Riddle Spider [Unknown] 2020-Jun 2021\n1 group listed (1 APT, 0 other, 0 unknown)\n↑\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=edb7a031-1b90-4d7c-94b2-659a2d9759f9\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=edb7a031-1b90-4d7c-94b2-659a2d9759f9\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=edb7a031-1b90-4d7c-94b2-659a2d9759f9"
	],
	"report_names": [
		"listgroups.cgi?u=edb7a031-1b90-4d7c-94b2-659a2d9759f9"
	],
	"threat_actors": [
		{
			"id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998",
			"created_at": "2023-01-06T13:46:39.207556Z",
			"updated_at": "2026-04-10T02:00:03.246557Z",
			"deleted_at": null,
			"main_name": "RIDDLE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:RIDDLE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c",
			"created_at": "2022-10-25T16:07:24.12696Z",
			"updated_at": "2026-04-10T02:00:04.875073Z",
			"deleted_at": null,
			"main_name": "Riddle Spider",
			"aliases": [
				"Avaddon Team"
			],
			"source_name": "ETDA:Riddle Spider",
			"tools": [
				"Avaddon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434296,
	"ts_updated_at": 1775792134,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b222da390c0a28b16c4c1795f5a5675086927ec.pdf",
		"text": "https://archive.orkl.eu/6b222da390c0a28b16c4c1795f5a5675086927ec.txt",
		"img": "https://archive.orkl.eu/6b222da390c0a28b16c4c1795f5a5675086927ec.jpg"
	}
}